码迷,mamicode.com
首页 > 其他好文 > 详细

pcap文件的文件头的link type

时间:2014-08-18 23:20:33      阅读:610      评论:0      收藏:0      [点我收藏+]

标签:des   http   os   io   strong   文件   for   ar   

http://www.tcpdump.org/linktypes.html

Link-layer header type values

LINKTYPE_ nameLINKTYPE_ valueCorresponding DLT_ nameDescription
LINKTYPE_NULL 0 DLT_NULL BSD loopback encapsulation; the link layer header is a 4-byte field, in host byte order, containing a PF_ value from socket.h for the network-layer protocol of the packet.

Note that ``host byte order‘‘ is the byte order of the machine on which the packets are captured, and the PF_ values are for the OS of the machine on which the packets are captured; if a live capture is being done, ``host byte order‘‘ is the byte order of the machine capturing the packets, and the PF_ values are those of the OS of the machine capturing the packets, but if a ``savefile‘‘ is being read, the byte order and PF_ values are not necessarily those of the machine reading the capture file.

LINKTYPE_ETHERNET 1 DLT_EN10MB IEEE 802.3 Ethernet (10Mb, 100Mb, 1000Mb, and up); the 10MB in the DLT_ name is historical.
LINKTYPE_AX25 3 DLT_AX25 AX.25 packet, with nothing preceding it.
LINKTYPE_IEEE802_5 6 DLT_IEEE802 IEEE 802.5 Token Ring; the IEEE802, without _5, in the DLT_ name is historical.
LINKTYPE_ARCNET_BSD 7 DLT_ARCNET ARCNET Data Packets, as described by the ARCNET Trade Association standard ATA 878.1-1999, but without the Starting Delimiter, Information Length, or Frame Check Sequence fields, and with only the first ISU of the Destination Identifier. For most packet types, ARCNET Trade Association draft standard ATA 878.2 is also used. See also RFC 1051 and RFC 1201; for RFC 1051 frames, ATA 878.2 is not used.
LINKTYPE_SLIP 8 DLT_SLIP SLIP, encapsulated with a LINKTYPE_SLIP header.
LINKTYPE_PPP 9 DLT_PPP PPP, as per RFC 1661 and RFC 1662; if the first 2 bytes are 0xff and 0x03, it‘s PPP in HDLC-like framing, with the PPP header following those two bytes, otherwise it‘s PPP without framing, and the packet begins with the PPP header.
LINKTYPE_FDDI 10 DLT_FDDI FDDI, as specified by ANSI INCITS 239-1994.
LINKTYPE_PPP_HDLC 50 DLT_PPP_SERIAL PPP in HDLC-like framing, as per RFC 1662, or Cisco PPP with HDLC framing, as per section 4.3.1 of RFC 1547; the first byte will be 0xFF for PPP in HDLC-like framing, and will be 0x0F or 0x8F for Cisco PPP with HDLC framing.
LINKTYPE_PPP_ETHER 51 DLT_PPP_ETHER PPPoE; the packet begins with a PPPoE header, as per RFC 2516.
LINKTYPE_ATM_RFC1483 100 DLT_ATM_RFC1483 RFC 1483 LLC/SNAP-encapsulated ATM; the packet begins with an IEEE 802.2 LLC header.
LINKTYPE_RAW 101 DLT_RAW Raw IP; the packet begins with an IPv4 or IPv6 header, with the "version" field of the header indicating whether it‘s an IPv4 or IPv6 header.
LINKTYPE_C_HDLC 104 DLT_C_HDLC Cisco PPP with HDLC framing, as per section 4.3.1 of RFC 1547.
LINKTYPE_IEEE802_11 105 DLT_IEEE802_11 IEEE 802.11 wireless LAN.
LINKTYPE_FRELAY 107 DLT_FRELAY Frame Relay
LINKTYPE_LOOP 108 DLT_LOOP OpenBSD loopback encapsulation; the link-layer header is a 4-byte field, in network byte order, containing a PF_ value from OpenBSD‘s socket.h for the network-layer protocol of the packet.

Note that, if a ``savefile‘‘ is being read, those PF_ values are not necessarily those of the machine reading the capture file.

LINKTYPE_LINUX_SLL 113 DLT_LINUX_SLL Linux "cooked" capture encapsulation.
LINKTYPE_LTALK 114 DLT_LTALK Apple LocalTalk; the packet begins with an AppleTalk LocalTalk Link Access Protocol header, as described in chapter 1 of Inside AppleTalk, Second Edition.
LINKTYPE_PFLOG 117 DLT_PFLOG OpenBSD pflog; the link-layer header contains a "struct pfloghdr" structure, as defined by the host on which the file was saved. (This differs from operating system to operating system and release to release; there is nothing in the file to indicate what the layout of that structure is.)
LINKTYPE_IEEE802_11_PRISM 119 DLT_PRISM_HEADER Prism monitor mode information followed by an 802.11 header.
LINKTYPE_IP_OVER_FC 122 DLT_IP_OVER_FC RFC 2625 IP-over-Fibre Channel, with the link-layer header being the Network_Header as described in that RFC.
LINKTYPE_SUNATM 123 DLT_SUNATM ATM traffic, encapsulated as per the scheme used by SunATM devices.
LINKTYPE_IEEE802_11_RADIOTAP 127 DLT_IEEE802_11_RADIO Radiotap link-layer information followed by an 802.11 header.
LINKTYPE_ARCNET_LINUX 129 DLT_ARCNET_LINUX ARCNET Data Packets, as described by the ARCNET Trade Association standard ATA 878.1-1999, but without the Starting Delimiter, Information Length, or Frame Check Sequence fields, with only the first ISU of the Destination Identifier, and with an extra two-ISU "offset" field following the Destination Identifier. For most packet types, ARCNET Trade Association draft standard ATA 878.2 is also used; however, no exception frames are supplied, and reassembled frames, rather than fragments, are supplied. See also RFC 1051 and RFC 1201; for RFC 1051 frames, ATA 878.2 is not used.
LINKTYPE_APPLE_IP_OVER_IEEE1394 138 DLT_APPLE_IP_OVER_IEEE1394 Apple IP-over-IEEE 1394 cooked header.
LINKTYPE_MTP2_WITH_PHDR 139 DLT_MTP2_WITH_PHDR Signaling System 7 Message Transfer Part Level 2, as specified by ITU-T Recommendation Q.703, preceded by a pseudo-header.
LINKTYPE_MTP2 140 DLT_MTP2 Signaling System 7 Message Transfer Part Level 2, as specified by ITU-T Recommendation Q.703.
LINKTYPE_MTP3 141 DLT_MTP3 Signaling System 7 Message Transfer Part Level 3, as specified by ITU-T Recommendation Q.704, with no MTP2 header preceding the MTP3 packet.
LINKTYPE_SCCP 142 DLT_SCCP Signaling System 7 Signalling Connection Control Part, as specified by ITU-T Recommendation Q.711, ITU-T Recommendation Q.712, ITU-T Recommendation Q.713, and ITU-T Recommendation Q.714, with no MTP3 or MTP2 headers preceding the SCCP packet.
LINKTYPE_DOCSIS 143 DLT_DOCSIS DOCSIS MAC frames, as described by the DOCSIS 3.0 MAC and Upper Layer Protocols Interface Specification.
LINKTYPE_LINUX_IRDA 144 DLT_LINUX_IRDA Linux-IrDA packets, with a LINKTYPE_LINUX_IRDA header, with the payload for IrDA frames beginning with by the IrLAP header as defined by IrDA Data Specifications, including the IrDA Link Access Protocol specification.
LINKTYPE_USER0-LINKTYPE-USER15 147-162 DLT_USER0-DLT_USER15 Reserved for private use; see above.
LINKTYPE_IEEE802_11_AVS 163 DLT_IEEE802_11_RADIO_AVS AVS monitor mode information followed by an 802.11 header.
LINKTYPE_BACNET_MS_TP 165 DLT_BACNET_MS_TP BACnet MS/TP frames, as specified by section 9.3 MS/TP Frame Format of ANSI/ASHRAE Standard 135, BACnet® - A Data Communication Protocol for Building Automation and Control Networks, including the preamble and, if present, the Data CRC.
LINKTYPE_PPP_PPPD 166 DLT_PPP_PPPD PPP in HDLC-like encapsulation, but with the 0xff address byte replaced by a direction indication - 0x00 for incoming and 0x01 for outgoing.
LINKTYPE_GPRS_LLC 169 DLT_GPRS_LLC General Packet Radio Service Logical Link Control, as defined by 3GPP TS 04.64.
LINKTYPE_LINUX_LAPD 177 DLT_LINUX_LAPD Link Access Procedures on the D Channel (LAPD) frames, as specified by ITU-T Recommendation Q.920 and ITU-T Recommendation Q.921, captured via vISDN, with a LINKTYPE_LINUX_LAPD header, followed by the Q.921 frame, starting with the address field.
LINKTYPE_BLUETOOTH_HCI_H4 187 DLT_BLUETOOTH_HCI_H4 Bluetooth HCI UART transport layer; the frame contains an HCI packet indicator byte, as specified by the UART Transport Layer portion of the most recent Bluetooth Core specification, followed by an HCI packet of the specified packet type, as specified by the Host Controller Interface Functional Specification portion of the most recent Bluetooth Core Specification.
LINKTYPE_USB_LINUX 189 DLT_USB_LINUX USB packets, beginning with a Linux USB header, as specified by the struct usbmon_packet in the Documentation/usb/usbmon.txt file in the Linux source tree. Only the first 48 bytes of that header are present. All fields in the header are in the host byte order for the pcap file, as specified by the file‘s magic number, or for the section of the pcap-ng file, as specified by the Section Header Block.
LINKTYPE_PPI 192 DLT_PPI Per-Packet Information information, as specified by the Per-Packet Information Header Specification, followed by a packet with the LINKTYPE_ value specified by the pph_dlt field of that header.
LINKTYPE_IEEE802_15_4 195 DLT_IEEE802_15_4 IEEE 802.15.4 wireless Personal Area Network, with each packet having the FCS at the end of the frame.
LINKTYPE_SITA 196 DLT_SITA Various link-layer types, with a pseudo-header, for SITA.
LINKTYPE_ERF 197 DLT_ERF Various link-layer types, with a pseudo-header, for Endace DAG cards; encapsulates Endace ERF records.
LINKTYPE_BLUETOOTH_HCI_H4_WITH_PHDR 201 DLT_BLUETOOTH_HCI_H4_WITH_PHDR Bluetooth HCI UART transport layer; the frame contains a 4-byte direction field, in network byte order (big-endian), the low-order bit of which is set if the frame was sent from the host to the controller and clear if the frame was received by the host from the controller, followed by an HCI packet indicator byte, as specified by the UART Transport Layer portion of the most recent Bluetooth Core specification, followed by an HCI packet of the specified packet type, as specified by the Host Controller Interface Functional Specification portion of the most recent Bluetooth Core Specification.
LINKTYPE_AX25_KISS 202 DLT_AX25_KISS AX.25 packet, with a 1-byte KISS header containing a type indicator.
LINKTYPE_LAPD 203 DLT_LAPD Link Access Procedures on the D Channel (LAPD) frames, as specified by ITU-T Recommendation Q.920 and ITU-T Recommendation Q.921, starting with the address field, with no pseudo-header.
LINKTYPE_PPP_WITH_DIR 204 DLT_PPP_WITH_DIR PPP, as per RFC 1661 and RFC 1662, preceded with a one-byte pseudo-header with a zero value meaning "received by this host" and a non-zero value meaning "sent by this host".
LINKTYPE_C_HDLC_WITH_DIR 205 DLT_C_HDLC_WITH_DIR Cisco PPP with HDLC framing, as per section 4.3.1 of RFC 1547, preceded with a one-byte pseudo-header with a zero value meaning "received by this host" and a non-zero value meaning "sent by this host".
LINKTYPE_FRELAY_WITH_DIR 206 DLT_FRELAY_WITH_DIR Frame Relay, preceded with a one-byte pseudo-header with a zero value meaning "received by this host" and a non-zero value meaning "sent by this host".
LINKTYPE_IPMB_LINUX 209 DLT_IPMB_LINUX IPMB over an I2C circuit, with a Linux-specific pseudo-header.
LINKTYPE_IEEE802_15_4_NONASK_PHY 215 DLT_IEEE802_15_4_NONASK_PHY IEEE 802.15.4 wireless Personal Area Network, with each packet having the FCS at the end of the frame, and with the PHY-level data for non-ASK PHYs (4 octets of 0 as preamble, one octet of SFD, one octet of frame length + reserved bit) preceding the MAC-layer data (starting with the frame control field).
LINKTYPE_USB_LINUX_MMAPPED 220 DLT_USB_LINUX_MMAPPED USB packets, beginning with a Linux USB header, as specified by the struct usbmon_packet in the Documentation/usb/usbmon.txt file in the Linux source tree. All 64 bytes of the header are present. All fields in the header are in the host byte order for the pcap file, as specified by the file‘s magic number, or for the section of the pcap-ng file, as specified by the Section Header Block. For isochronous transfers, the ndesc field specifies the number of isochronous descriptors that follow.
LINKTYPE_FC_2 224 DLT_FC_2 Fibre Channel FC-2 frames, beginning with a Frame_Header.
LINKTYPE_FC_2_WITH_FRAME_DELIMS 225 DLT_FC_2_WITH_FRAME_DELIMS Fibre Channel FC-2 frames, beginning an encoding of the SOF, followed by a Frame_Header, and ending with an encoding of the SOF.

The encodings represent the frame delimiters as 4-byte sequences representing the corresponding ordered sets, with K28.5 represented as 0xBC, and the D symbols as the corresponding byte values; for example, SOFi2, which is K28.5 - D21.5 - D1.2 - D21.2, is represented as 0xBC 0xB5 0x55 0x55.

LINKTYPE_IPNET 226 DLT_IPNET Solaris ipnet pseudo-header, followed by an IPv4 or IPv6 datagram.
LINKTYPE_CAN_SOCKETCAN 227 DLT_CAN_SOCKETCAN CAN (Controller Area Network) frames, with a pseudo-header as supplied by Linux SocketCAN.
LINKTYPE_IPV4 228 DLT_IPV4 Raw IPv4; the packet begins with an IPv4 header.
LINKTYPE_IPV6 229 DLT_IPV6 Raw IPv6; the packet begins with an IPv6 header.
LINKTYPE_IEEE802_15_4_NOFCS 230 DLT_IEEE802_15_4_NOFCS IEEE 802.15.4 wireless Personal Area Network, without the FCS at the end of the frame.
LINKTYPE_DBUS 231 DLT_DBUS Raw D-Bus messages, starting with the endianness flag, followed by the message type, etc., but without the authentication handshake before the message sequence.
LINKTYPE_DVB_CI 235 DLT_DVB_CI DVB-CI (DVB Common Interface for communication between a PC Card module and a DVB receiver), with the message format specified by the PCAP format for DVB-CI specification.
LINKTYPE_MUX27010 236 DLT_MUX27010 Variant of 3GPP TS 27.010 multiplexing protocol (similar to, but not the same as, 27.010).
LINKTYPE_STANAG_5066_D_PDU 237 DLT_STANAG_5066_D_PDU D_PDUs as described by NATO standard STANAG 5066, starting with the synchronization sequence, and including both header and data CRCs. The current version of STANAG 5066 is backwards-compatible with the 1.0.2 version, although newer versions are classified.
LINKTYPE_NFLOG 239 DLT_NFLOG Linux netlink NETLINK NFLOG socket log messages.
LINKTYPE_NETANALYZER 240 DLT_NETANALYZER Pseudo-header for Hilscher Gesellschaft für Systemautomation mbH netANALYZER devices, followed by an Ethernet frame, beginning with the MAC header and ending with the FCS.
LINKTYPE_NETANALYZER_TRANSPARENT 241 DLT_NETANALYZER_TRANSPARENT Pseudo-header for Hilscher Gesellschaft für Systemautomation mbH netANALYZER devices, followed by an Ethernet frame, beginning with the preamble, SFD, and MAC header, and ending with the FCS.
LINKTYPE_IPOIB 242 DLT_IPOIB IP-over-InfiniBand, as specified by RFC 4391 section 6.
LINKTYPE_MPEG_2_TS 243 DLT_MPEG_2_TS MPEG-2 Transport Stream transport packets, as specified by ISO 13818-1/ITU-T Recommendation H.222.0 (see table 2-2 of section 2.4.3.2 "Transport Stream packet layer").
LINKTYPE_NG40 244 DLT_NG40 Pseudo-header for ng4T GmbH‘s UMTS Iub/Iur-over-ATM and Iub/Iur-over-IP format as used by their ng40 protocol tester, followed by frames for the Frame Protocol as specified by 3GPP TS 25.427 for dedicated channels and 3GPP TS 25.435 for common/shared channels in the case of ATM AAL2 or UDP traffic, by SSCOP packets as specified by ITU-T Recommendation Q.2110 for ATM AAL5 traffic, and by NBAP packets for SCTP traffic.
LINKTYPE_NFC_LLCP 245 DLT_NFC_LLCP Pseudo-header for NFC LLCP packet captures, followed by frame data for the LLCP Protocol as specified by NFCForum-TS-LLCP_1.1.
LINKTYPE_INFINIBAND 247 DLT_INFINIBAND Raw InfiniBand frames, starting with the Local Routing Header, as specified in Chapter 5 "Data packet format" of InfiniBand™ Architectural Specification Release 1.2.1 Volume 1 - General Specifications.
LINKTYPE_SCTP 248 DLT_SCTP SCTP packets, as defined by RFC 4960, with no lower-level protocols such as IPv4 or IPv6.
LINKTYPE_USBPCAP 249 DLT_USBPCAP USB packets, beginning with a USBPcap header.
LINKTYPE_RTAC_SERIAL 250 DLT_RTAC_SERIAL Serial-line packet header for the Schweitzer Engineering Laboratories "RTAC" product, followed by a payload for one of a number of industrial control protocols.
LINKTYPE_BLUETOOTH_LE_LL 251 DLT_BLUETOOTH_LE_LL Bluetooth Low Energy air interface Link Layer packets, in the format described in section 2.1 "PACKET FORMAT" of volume 6 of the Bluetooth Specification Version 4.0 (see PDF page 2200), but without the Preamble.
LINKTYPE_NETLINK 253 DLT_NETLINK Linux Netlink capture encapsulation.
LINKTYPE_BLUETOOTH_LINUX_MONITOR 254 DLT_BLUETOOTH_LINUX_MONITOR Bluetooth Linux Monitor encapsulation of traffic for the BlueZ stack.
LINKTYPE_BLUETOOTH_BREDR_BB 255 DLT_BLUETOOTH_BREDR_BB Bluetooth Basic Rate and Enhanced Data Rate baseband packets.
LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR 256 DLT_BLUETOOTH_LE_LL_WITH_PHDR Bluetooth Low Energy link-layer packets.
LINKTYPE_PROFIBUS_DL 257 DLT_PROFIBUS_DL PROFIBUS data link layer packets, as specified by IEC standard 61158-6-3, beginning with the start delimiter, ending with the end delimiter, and including all octets between them.
LINKTYPE_PKTAP 258 DLT_PKTAP Apple PKTAP capture encapsulation.
LINKTYPE_EPON 259 DLT_EPON Ethernet-over-passive-optical-network packets, starting with the last 6 octets of the modified preamble as specified by 65.1.3.2 "Transmit" in Clause 65 of Section 5 of IEEE 802.3, followed immediately by an Ethernet frame.
LINKTYPE_IPMI_HPM_2 260 DLT_IPMI_HPM_2 IPMI trace packets, as specified by Table 3-20 "Trace Data Block Format" in the PICMG HPM.2 specification. The time stamps for packets in this format must match the time stamps in the Trace Data 

pcap文件的文件头的link type,布布扣,bubuko.com

pcap文件的文件头的link type

标签:des   http   os   io   strong   文件   for   ar   

原文地址:http://www.cnblogs.com/jacklikedogs/p/3920588.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!